Description: "stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer over-read in stbi__tga_load, leading to Information Disclosure or Denial of Service." No upstream fix yet.
Additional vulnerabilities:

2) CVE-2019-13217
Description: "A heap buffer overflow in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file."

3) CVE-2019-13218
Description: "Division by zero in the predict_point function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file."

4) CVE-2019-13219
Description: "A NULL pointer dereference in the get_window function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file."

5) CVE-2019-13220
Description: "Use of uninitialized stack variables in the start_decoder function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file."

6) CVE-2019-13221
Description: "A stack buffer overflow in the compute_codewords function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or execute arbitrary code by opening a crafted Ogg Vorbis file."

7) CVE-2019-13222
Description: "An out-of-bounds read of a global buffer in the draw_line function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service or disclose sensitive information by opening a crafted Ogg Vorbis file."

8) CVE-2019-13223
Description: "A reachable assertion in the lookup1_values function in stb_vorbis through 2019-03-04 allows an attacker to cause a denial of service by opening a crafted Ogg Vorbis file."

---
Same patch for all: https://github.com/nothings/stb/commit/98fdfc6df88b1e34a736d5e126e6c8139c8de1a6
Adding a few more CVEs since this was not fixed.

CVE ID: CVE-2020-6623
Summary: stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff_get_index.
Published: 2020-01-08T23:15:00.000Z
--------------------------------------------------------------------------------
State: NEW
Bugs:
CVE-2020-6622
CVE ID: CVE-2020-6622
Summary: stb stb_truetype.h through 1.22 has a heap-based buffer over-read in stbtt__buf_peek8.
Published: 2020-01-08T23:15:00.000Z
--------------------------------------------------------------------------------
State: NEW
Bugs:
CVE-2020-6621
CVE ID: CVE-2020-6621
Summary: stb stb_truetype.h through 1.22 has a heap-based buffer over-read in ttUSHORT.
Published: 2020-01-08T23:15:00.000Z
--------------------------------------------------------------------------------
State: NEW
Bugs:
CVE-2020-6620
CVE ID: CVE-2020-6620
Summary: stb stb_truetype.h through 1.22 has a heap-based buffer over-read in stbtt__buf_get8.
Published: 2020-01-08T23:15:00.000Z
--------------------------------------------------------------------------------
State: NEW
Bugs:
CVE-2020-6619
CVE ID: CVE-2020-6619
Summary: stb stb_truetype.h through 1.22 has an assertion failure in stbtt__buf_seek.
Published: 2020-01-08T23:15:00.000Z
--------------------------------------------------------------------------------
State: NEW
Bugs:
CVE-2020-6618
CVE ID: CVE-2020-6618
Summary: stb stb_truetype.h through 1.22 has a heap-based buffer over-read in stbtt__find_table.
Published: 2020-01-08T23:15:00.000Z
--------------------------------------------------------------------------------
State: NEW
Bugs:
CVE-2020-6617
CVE ID: CVE-2020-6617
Summary: stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff_int.
Published: 2020-01-08T23:15:00.000Z
--------------------------------------------------------------------------------
State: NEW
Bugs:
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9049f05e1e9c725bb72e3769ba3f114c0d884c3a

commit 9049f05e1e9c725bb72e3769ba3f114c0d884c3a
Author:     Dennis Lamm <expeditioneer@gentoo.org>
AuthorDate: 2020-06-16 04:44:18 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-07-01 06:38:31 +0000

    dev-libs/stb: version bump 20200205

    Closes: https://bugs.gentoo.org/696726
    Bug: https://bugs.gentoo.org/711274
    Signed-off-by: Dennis Lamm <expeditioneer@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/16264
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/stb/Manifest            |  1 +
 dev-libs/stb/stb-20200205.ebuild | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
Hm. Everything but the original vulnerability was fixed. Let's use this bug for all the others, then come back and do the original in another bug, I guess. @maintainer, let us know when ready to stable.
Any objections, or we'll stable?
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47e175b2635de2e1eb7a48ccd06ee015f4aa397f

commit 47e175b2635de2e1eb7a48ccd06ee015f4aa397f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-09-17 23:26:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-17 23:26:47 +0000

    dev-libs/stb: security cleanup

    Bug: https://bugs.gentoo.org/711274
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/stb/Manifest            |  1 -
 dev-libs/stb/stb-20180211.ebuild | 34 ----------------------------------
 2 files changed, 35 deletions(-)